Verdict: MALICIOUS
Risk score: 422

Heuristics (10)
- Composite Moniker — CVE-2017-8570 (drops SCT script) [critical, CVE_2017_8570]: RTF \objdata decodes to OLE data containing the Composite Moniker — CVE-2017-8570 (drops SCT script) CLSID — the vulnerable control/moniker is embedded directly in the document's object stream, the delivery shape of this exploit. RTF objects auto-render when Word opens the file.
- Equation Editor CLSID [critical, CVE likely, RTF_EQUATION_EDITOR]: Equation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798.
- CVE-2017-0199 / CVE-2017-8759 (OLE2Link auto-activated remote loader) [critical, RTF_OLE2LINK_REMOTE_MONIKER_LOADER]: RTF embeds an OLE2Link object that is force-activated with \objupdate (no user interaction on open) and fetches a remote second stage, either through an INCLUDETEXT/INCLUDEPICTURE field or through the OLE object's own moniker. This is the OLE2Link auto-update attack path shared by CVE-2017-0199 (server returns an HTA/scriptlet) and CVE-2017-8759 (server returns a SOAP WSDL that the .NET parser compiles). Office processes the fetched response through the same code path; which of the two CVEs applies depends on the content type served by the now-unreachable server.
- Composite Moniker in RTF OLE object [high, RTF_COMPOSITE_MONIKER_RELATED]: RTF contains the Composite Moniker CLSID in an OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
- ClamAV: Rtf.Dropper.Agent-7110189-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Rtf.Dropper.Agent-7110189-0.
- PE header (with DOS stub) in hex data [critical, RTF_MZ_HEX]: Hex-encoded PE (MZ + DOS stub) found inside the RTF — likely an embedded executable payload.
- \objupdate forces OLE activation [high, RTF_OBJUPDATE]: RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- OLE object data [medium, RTF_OBJDATA]: RTF contains 6 \objdata section(s) — embedded OLE objects.
- OlePres presentation stream in RTF OLE object [medium, RTF_OLEPRES_STREAM]: RTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: https://sepacloud.eu/file/Documents/document_78219.jpg (found in the RTF body)
Extracted artifacts (6)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| objdata_00_off00018651.bin | rtf-objdata-decoded | RTF \objdata at offset 0x18651 | 1059 bytes | 0100e2dca3c68cd5fb34c6082a4ea42511b121985c7f7d7fadfed21b52d602eb |
| objdata_01_off00018eca.bin | rtf-objdata-decoded | RTF \objdata at offset 0x18ECA | 339660 bytes | 0bc20f9f0dd45d237bd84435472954bac98054231051812fc3463605aa92be5e |
| objdata_02_off000beca0.bin | rtf-objdata-decoded | RTF \objdata at offset 0xBECA0 | 336 bytes | a3943c67aa3459bee72ce02f6cf2010ce1f38218ceb09de6a41c88506936264a |
| objdata_03_off000bef74.bin | rtf-objdata-decoded | RTF \objdata at offset 0xBEF74 | 570 bytes | 9e551386ea439717b26b71f19dce2e70ccfad32449088429a1a0e86a3bd9a527 |
| objdata_04_off000bf44f.bin | rtf-objdata-decoded | RTF \objdata at offset 0xBF44F | 2633 bytes | 7b8302b0c2db3ee011f9dd8467bed08b104a5998fb54ac1f164d0a75f2e24342 |
| objdata_05_off000c0959.bin | rtf-objdata-decoded | RTF \objdata at offset 0xC0959 | 4679 bytes | 1fee231696679796f1dc21edced3d7608d638c56e470178a34b4b6d7051d634d |